Re: Odd ssh attacks?



Here is how I defend against ssh attacks. My two cents. YMMV.

1. Use /etc/hosts.deny and /etc/hosts.allow (you have to use BOTH of
them!). Put the following line in "/etc/hosts.deny":
ALL: ALL

That will stop all traffic to servers like sshd that pay attention to
/etc/hosts.deny. How to let stuff in? See #2.

2. Use "/etc/hosts.allow" to explicitly allow traffic from IP addresses
that you know/trust/are-willing-to-chance. You can
use something like:

sshd: 192.168.*, 71.*, 68.*

- or maybe -

sshd: all except 210.*

I think there are many many ways to specify addresses that you want to
let in. Don't forget to specify 192.168.* if you
want to get to servers from your home network. (192.168.* works for my
LinkSys router. Your address might be different.)

NOTE!!! Since we just "denied everything" in /etc/hosts.deny, you'll
have to put a line in for any service that references
this table (like dovecot, rsyncd, etc.) where you *do* want to
let traffic in.

For me, this way is the safest. I have to explicitly allow traffic in,
so that makes me think more about what's going on.

Yes, I've heard that iptables uses fewer resources than /etc/hosts.deny
and /etc/hosts.allow do. My opinion is that the
syntax for using these two files is MUCH easier. For a home system, such
as mine, the extra cycles are just a little electricity. 8-)

3. Have sshd listen on the standard port (22) ONLY for "inside" requests
(i.e. requests NOT coming through your router). Don't open your router
up to the Internet on port 22.

4. Have sshd ALSO listen on a non-standard port and open up your router
on that port if you need to allow "outside" requests (i.e., requests
that DO come from the Internet through your router). Which port to use?
See #5.

5. In step #4, please set it up for a non-standard non-standard port.
What I mean by that is, don't use something that's somewhat obvious,
like port 2222, because that's what everyone uses. 8-) Pick something
really different, BUT make sure it's not being used for something else.

Make a note of #4 and #5. By using a "non-standard non-standard" port, I
completely eliminated attempts on my sshd server. Yay!

6. Use the "allowusers" or "allowgroups" directive in
/etc/ssh/sshd_config to only allow logons for users or groups that you
specify.

Please don't make me say this one.... okay... here goes... DON'T ALLOW
ROOT TO SSH INTO YOUR SYSTEM. ssh in using another
user and then sudo to root if you need to.

7. This one is the most fun! 8-) Remove the ability to use passwords.
Use only public key authentication. You'll have to generate a key on any
computer that you want to allow to ssh into your system and then install
its key on your computer with the sshd server.

You can Google for how to do this step (it's really not hard), or I'd be
happy to post the steps (I'll have to Google again). 8-)

This one is the most fun because if you do want to leave sshd listening
on port 22, you can watch the script kiddies banging
their heads against the wall trying to break in knowing that it's just
not gonna happen! You'd think I'd have something better
to do, but you'd be wrong! 8-)

Sorry this is so long. Hope I don't offend you "iptables" folks. 8-)

Charlie Brune
St. Louis, MO


--
ubuntu-users mailing list
ubuntu-users@xxxxxxxxxxxxxxxx
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
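Added example, not code from Charlie's post or from any Ubuntu package: a POSIX shell script that writes the hosts.allow/hosts.deny pair and the sshd_config hardening fragment that the seven steps above describe into a scratch directory, and includes a small checker that applies the hosts_access(5) matching rules (ALL, trailing-dot network prefixes, exact names and "list EXCEPT list"; it does not implement hostnames, netmasks or the other keywords) so you can see which client addresses the allow-list admits before copying anything into /etc. The scratch directory, the allowed networks (192.168. and 10.), the user name charlie and port 47213 are placeholders chosen for the example, not values from the post; the trailing-dot form is the network-prefix notation documented in hosts_access(5). One caveat for anyone following the recipe on a current Ubuntu release: portable OpenSSH removed its tcp_wrappers (libwrap) support in version 6.7, so an sshd built from that or any later version does not consult hosts.allow/hosts.deny at all. The sshd_config side of the recipe (ports, AllowUsers, no root, keys only) still applies as written; a firewall rule takes the place of the hosts.allow line.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates the
# hosts.allow / hosts.deny pair and an sshd_config hardening fragment into
# a scratch directory, and provides a checker that mimics the hosts_access(5)
# lookup order so the allow-list can be tested before it is deployed.
# Assumptions (placeholders, not from the post): OUT, ALLOWED_NETS,
# SSH_USER and SSH_PORT.

OUT="${OUT:-$(mktemp -d)}"
ALLOWED_NETS="192.168., 10."   # trailing dot = network prefix in hosts_access(5)
SSH_USER="${SSH_USER:-charlie}"
SSH_PORT="${SSH_PORT:-47213}"  # arbitrary high port; check /etc/services first

# Steps 1-2: deny everything, then allow sshd only from the listed networks.
write_wrappers() {
    printf 'ALL: ALL\n' > "$OUT/hosts.deny"
    printf 'sshd: %s\n' "$ALLOWED_NETS" > "$OUT/hosts.allow"
}

# Steps 3-7: listen on 22 (LAN only, because the router does not forward
# it) and on the odd port (the only one forwarded), named users only,
# no root logins, public-key authentication only.
write_sshd_config() {
    cat > "$OUT/sshd_config.d-hardening.conf" <<EOF
Port 22
Port $SSH_PORT
AllowUsers $SSH_USER
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF
}

# Print the value of one keyword from the generated fragment.
sshd_setting() {
    awk -v k="$1" '$1 == k { print $2; exit }' "$OUT/sshd_config.d-hardening.conf"
}

# One hosts_access(5) pattern ($1) against one daemon name or address ($2):
# ALL matches anything, "a.b." matches that prefix, anything else is exact.
match_pat() {
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; esac; return 1 ;;
        *)   [ "$1" = "$2" ] ;;
    esac
}

# A comma/space separated list ($1), optionally "list EXCEPT list".
match_list() {
    case "$1" in
        *" EXCEPT "*)
            if match_list "${1%% EXCEPT *}" "$2" && ! match_list "${1#* EXCEPT }" "$2"; then
                return 0
            fi
            return 1 ;;
    esac
    for p in $(printf '%s' "$1" | tr ',' ' '); do
        match_pat "$p" "$2" && return 0
    done
    return 1
}

# Does any "daemon_list : client_list" line in table $1 match daemon $2
# and client $3? Blank lines and comments are skipped.
scan_table() {
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        match_list "${line%%:*}" "$2" && match_list "${line#*:}" "$3" && return 0
    done < "$1"
    return 1
}

# tcp_wrappers order: a hosts.allow match permits, then a hosts.deny match
# refuses, otherwise the connection is permitted. Exit 0 = allow, 1 = deny.
hosts_access() {
    scan_table "$OUT/hosts.allow" "$1" "$2" && return 0
    scan_table "$OUT/hosts.deny"  "$1" "$2" && return 1
    return 0
}

write_wrappers
write_sshd_config
# Constructed sample clients: two inside the allowed prefixes, one outside.
for ip in 192.168.1.20 10.0.0.5 203.0.113.7; do
    if hosts_access sshd "$ip"; then echo "sshd from $ip: allowed"
    else echo "sshd from $ip: denied"; fi
done
```

After copying the fragment into /etc/ssh/sshd_config.d/ (on releases whose default sshd_config has an Include line for that directory), run `sudo sshd -t` to validate the merged configuration before restarting, and keep the current session open until a second login over the new port with a key succeeds.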